[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16590784#comment-16590784 ] Jan Høydahl commented on SOLR-11495:

I think we should keep them enabled as is, including xmlparser, and instead focus on fixing security issues along the way, as well as document how to disable qparsers in the "taking Solr to production" chapter.

> Reduce the list of which query parsers are loaded by default
>
> Key: SOLR-11495
> URL: https://issues.apache.org/jira/browse/SOLR-11495
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Components: query parsers
> Affects Versions: 7.0
> Reporter: Shawn Heisey
> Priority: Major
>
> Virtually all of the query parsers that Solr supports are enabled by default, in a map created in QParserPlugin.java.
>
> To reduce the possible attack surface of a default Solr installation, I believe that the list of default parsers should be limited to a small handful of the full list that's available. I will discuss specific ideas for that list in comments.
>
> I think the bar should be very high for admission to the default parser list. That list should only include those that are most commonly used by the community. Only the most common parsers will have had extensive review for security issues.
>
> _Edit_: moved description from "Docs Text" field where it was initially added mistakenly.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16207916#comment-16207916 ] David Smiley commented on SOLR-11495:

+1 to everything Yonik has said here. I think instead of removing registered parsers, we should tackle SOLR-11501.

+0 to removing the pre-registered xmlparser (in particular) so that you have to explicitly register it.
[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16207700#comment-16207700 ] Yonik Seeley commented on SOLR-11495:

There are two types of QParsers: those that implement a full query language (like the XML parser), and those that implement a little bit of necessary functionality and are meant to be composable and used within other qparsers. For example, take the "field" qparser: it was done so clients could do a simple term filter (like when doing facet drilldowns) without having to know/care about any kind of escaping rules for the Lucene parser.

QParsers are the only implemented entry points into so much of Solr's query functionality (join, graph, block-join, frange, spatial, json-dsl, payload, etc.).

Aside from the back compat issues, and rendering the JSON Query DSL useless, removing certain parsers for "security" reasons means that people would be wary of enabling them (and we'll get tons of questions like "is it safe to enable XYZ?").

We should fix any security vulnerabilities we know about (and parsers are no more vulnerable than other parts of the system like faceting, highlighting, etc.). Aside from that, we should take things on a case-by-case basis. For example, a query parser that invoked Tika is one that, IMO, we probably would not want to enable by default, and would put in contrib instead.
[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16207667#comment-16207667 ] Shawn Heisey commented on SOLR-11495:

[~cpoerschke], IMHO: I don't know that exotic parsers really need to be contrib. We just need to ensure that they're not loaded by default. They can always be enabled in solrconfig.xml if somebody really needs the functionality and understands the risks. I'm not opposed to the idea of a contrib module, I just don't think it's really necessary. Let's see what Yonik has to say on the subject.

[~arafalov], if we remove the automatic load of xmlparser, I think this is the proper syntax in solrconfig.xml (top level, right under ) to re-enable it:

{code}
{code}
[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16207184#comment-16207184 ] Christine Poerschke commented on SOLR-11495:

Irrespective of parsers being loaded by default or not, I've started the SOLR-11496 umbrella ticket to add javadocs with examples for any QParserPlugin classes that currently do not have them.

Might there also be an opportunity here to consider moving some of the more exotic parsers (I would count {{defType=xmlparser}} into that category, and I'm sure there are others) out of {{solr/core}} and into a new contrib? Say with 8.0 these parsers would be contrib only?
[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206889#comment-16206889 ] Alexandre Rafalovitch commented on SOLR-11495:

What would enabling a disabled parser look like? Would that mean a flag passed in at startup?

P.S. Is there a reason the case description is instead in the "Docs Text" field? That feels new, if not strange.
[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206765#comment-16206765 ] Shawn Heisey commented on SOLR-11495:

If the outcome of this (after discussion and investigation) is just to remove the XML parser, I'm OK with that. I do think it would be a good idea to take a close look at each parser enabled by default, just to survey the functionality and make sure that nothing can get out.
[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206526#comment-16206526 ] Yonik Seeley commented on SOLR-11495:

XML is the special case here... it's introduced security exploit after security exploit because of its ability to make HTTP calls itself.

I think disabling other parsers is the wrong approach and will frustrate users while not really increasing security (they are not inherently less secure if you exclude XML). In addition, the JSON query DSL depends on these qparsers (that's how its boolean was implemented). Many of these are "plugins" instead of "builtins" just out of a matter of convenience, and I'd argue they are inherently an integral part of the query language.
[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206486#comment-16206486 ] Gus Heck commented on SOLR-11495:

It would be nice if this were paired with a convenient but reasonably secure way to enable anything no longer included by default. By convenient, I mean centralized... i.e. not editing a file on every deployed node.
[jira] [Commented] (SOLR-11495) Reduce the list of which query parsers are loaded by default
[ https://issues.apache.org/jira/browse/SOLR-11495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16206467#comment-16206467 ] Shawn Heisey commented on SOLR-11495:

This is how I think we should initially define the default list:

{code}
map.put(LuceneQParserPlugin.NAME, LuceneQParserPlugin.class);
map.put(FunctionQParserPlugin.NAME, FunctionQParserPlugin.class);
map.put(DisMaxQParserPlugin.NAME, DisMaxQParserPlugin.class);
map.put(ExtendedDismaxQParserPlugin.NAME, ExtendedDismaxQParserPlugin.class);
{code}

This list corresponds to these parser names: lucene, func, dismax, edismax

I almost didn't include the function query parser in that list. It is one of the more complex parsers we have, and therefore might be potentially vulnerable to exploit ... but I think it's probably so commonly used that it would break a lot of installs to remove it.

For a lot of the remaining parsers, there are strong arguments for inclusion in the default list, but any time a parser is considered for inclusion, we need to weigh how widely used that parser is against the possible risks of increasing the attack surface. Is the terms query parser likely to be exploitable? That would take a code review to determine.
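The four-name default list proposed in the comment above is also usable today as a request allowlist enforced in front of Solr, regardless of what the server registers. The following Python is an added example for this thread, not code from the thread or from Solr: it scans a request's q and fq parameters for {!name ...} local-params blocks, follows $ref parameter dereferences, and reports every parser name the request could reach, so a proxy can refuse anything outside the allowlist. The parameter names q, fq and defType and the {!...} local-params syntax are Solr's; the local-params parser here is a simplified approximation of Solr's, and it deliberately over-counts (every {! block anywhere in a value is counted, whereas Solr only honours some positions such as the start of a value or _query_:"..."), which is the safe direction for a gate. The allowlist contents and the sample requests are constructed for the example.

```python
"""Conservative allowlist gate for Solr QParser invocations.

Added illustration for this thread, not Solr code: find every ``{!name ...}``
local-params block in a request, follow ``$ref`` parameter dereferences, and
report which parser names the request could reach so a proxy can reject
anything outside an explicit allowlist before it reaches Solr.
"""
from typing import Dict, List, Set, Tuple

# The four names proposed above as the initial default list (assumed policy).
DEFAULT_ALLOWED: Set[str] = {"lucene", "func", "dismax", "edismax"}


def _read_value(s: str, i: int) -> Tuple[str, int]:
    """Read one value at s[i]: quoted ('...' or "...", backslash escapes, may
    contain spaces and '}') or bare (runs to whitespace or '}')."""
    if i < len(s) and s[i] in "'\"":
        quote, i, buf = s[i], i + 1, []
        while i < len(s) and s[i] != quote:
            if s[i] == "\\" and i + 1 < len(s):
                i += 1  # keep the escaped character literally
            buf.append(s[i])
            i += 1
        return "".join(buf), min(i + 1, len(s))  # skip the closing quote
    j = i
    while j < len(s) and not s[j].isspace() and s[j] != "}":
        j += 1
    return s[i:j], j


def parse_local_params(s: str, start: int) -> Tuple[Dict[str, str], int]:
    """Parse the ``{!...}`` block at s[start] (simplified Solr syntax: the
    first bare token is the parser type unless ``type=`` is explicit, the
    rest is key=value). Returns (params, index just past the closing '}')."""
    i, first = start + 2, True  # skip "{!"
    params: Dict[str, str] = {}
    while i < len(s) and s[i] != "}":
        if s[i].isspace():
            i += 1
            continue
        j = i
        while j < len(s) and s[j] not in "=}'\"" and not s[j].isspace():
            j += 1
        if j < len(s) and s[j] == "=":
            key = s[i:j]
            value, i = _read_value(s, j + 1)
            params[key] = value
        else:
            value, i = _read_value(s, i)
            if first and "type" not in params:
                params["type"] = value
        first = False
    return params, min(i + 1, len(s))


def _values(params: dict, name: str) -> List[str]:
    """Solr parameters may be multi-valued (several fq); normalise to a list."""
    v = params.get(name)
    return [] if v is None else (list(v) if isinstance(v, list) else [v])


def _scan(text: str, default_type: str, params: dict,
          found: Set[str], visited: Set[str]) -> None:
    """Add the parser of every ``{!`` block in ``text`` to ``found``.
    Nested values and $ref parameters are scanned with "lucene" as the
    default sub-parser; a "$ref" type is left unresolved, so it fails the
    allowlist rather than being guessed."""
    pos = text.find("{!")
    while pos != -1:
        lp, end = parse_local_params(text, pos)
        found.add(lp.get("type") or default_type)
        for key, value in lp.items():
            if key == "type":
                continue
            if value.startswith("$"):
                ref = value[1:]
                if ref not in visited:  # guards against v=$a with a={!... v=$a}
                    visited.add(ref)
                    for v in _values(params, ref):
                        _scan(v, "lucene", params, found, visited)
            else:
                _scan(value, "lucene", params, found, visited)
        pos = text.find("{!", end)


def qparsers_invoked(params: dict) -> Set[str]:
    """Every QParser name a request could invoke (over-approximated).
    A value with no leading ``{!`` block goes to the default parser:
    defType for q (lucene if unset), always lucene for fq."""
    found: Set[str] = set()
    visited: Set[str] = set()
    scanned = (("q", str(params.get("defType", "lucene"))), ("fq", "lucene"))
    for name, default_type in scanned:
        for text in _values(params, name):
            if not text.lstrip().startswith("{!"):
                found.add(default_type)
            _scan(text, default_type, params, found, visited)
    return found


def disallowed(params: dict, allowed: Set[str] = DEFAULT_ALLOWED) -> Set[str]:
    """Parser names the request reaches that are outside the allowlist;
    an empty set means the request may be forwarded."""
    return qparsers_invoked(params) - allowed
```

Call disallowed(request_params) on the parsed query string before forwarding; a non-empty result names the parsers to block (for instance xmlparser reached through v=$qq from an otherwise ordinary edismax request). Extend the scanned parameter list beyond q and fq to whatever else your handlers hand to a QParser, since those are entry points too.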